
DCC for MOD Primes vs Tier-2 and Tier-3 Subcontractors: Who Needs What

Risk analysis dashboard mapping DCC requirements across prime and subcontractor tiers in a defence supply chain

One of the most frequent support enquiries I see is some version of "we are a tier-2 supplier to NCC (the prime) - do we need the same DCC level they do?". The question is important because the wrong answer costs suppliers either over-investment in certification they do not need, or under-investment that wrecks a bid. This guide walks through how DCC flows through the MOD supply chain, who holds what, and how suppliers at different tiers should interpret requirements.

The basic structure

The MOD contracts with primes. Primes contract with tier-2 suppliers. Tier-2 suppliers contract with tier-3 suppliers. And so on. Each contract at each tier carries a Cyber Risk Profile set by the party awarding that contract, which in turn maps to a required DCC level.

The critical insight: the CRP is set per contract, not per supplier. A tier-2 supplier can hold three contracts with three different primes and face three different DCC level requirements. The scheme applies to the contracts, not to the supplier's identity as a whole.

How CRP flows down

From MOD to prime: the MOD specifies the CRP of the head contract based on the sensitivity of the MOD information and the operational importance of the work. The prime must certify to the corresponding DCC level for that contract.

From prime to tier-2: the prime decides the CRP for each sub-contract it awards. It is not obligated to flow the same CRP downstream - a prime holding a Moderate CRP head contract may choose to sub-contract specific packages at Very Low CRP if the sub-contract genuinely involves less sensitive information. In practice, primes often flow down the same or one level lower, to avoid the administrative burden of justifying why a lower CRP is appropriate.

From tier-2 to tier-3: the tier-2 supplier makes the same decision as the prime - setting a CRP for each sub-contract based on the actual sensitivity of the work being done by the tier-3.

The model is effectively: each tier passes down a CRP based on the actual information flowing in that sub-contract, not the CRP of the contract the tier holds upstream.

Why this matters commercially

Getting this wrong in either direction has real commercial consequences.

Under-certified tier-2: a tier-2 supplier that certifies at L0 when the prime's contract actually requires them to hold L1 loses the contract, often after the supplier has already started work. This produces both immediate revenue loss and reputational damage.

Over-certified tier-3: a tier-3 supplier that certifies at L1 "just in case" when the actual sub-contract only requires L0 spends £20,000-40,000 more than necessary on certification. For smaller suppliers this is a material cost.

The correct answer is to confirm the required level with the party awarding the contract before starting certification preparation.

How to confirm the CRP of a specific contract

The CRP should be specified in the tender documentation or the contract schedule. If it is not, ask. The request should go to the contracting party (the prime, if you are tier-2; the tier-2, if you are tier-3) with wording along the lines of: "Please confirm the Cyber Risk Profile assigned to this sub-contract under DCC. We understand we will need to certify to the corresponding DCC level and would like to plan the certification engagement accordingly."

Good buyers respond quickly with a clear answer. Less well-prepared buyers sometimes respond with "match the prime's level" or "the same as the head contract", which may or may not be correct. Push back politely and ask for the specific CRP.

If the buyer cannot or will not confirm, err on the side of the higher level. It is better to hold L1 and find the actual requirement was L0 than the reverse.

Specific scenarios

Prime contractor holding a Low CRP head contract with MOD. Prime needs DCC L1. Tier-2 suppliers handling similar sensitivity of data typically need L1 too. Tier-2 suppliers handling a narrow, much lower-sensitivity slice of the work may be scoped at L0, at the prime's discretion.

Prime contractor holding a Moderate CRP head contract. Prime needs L2. Tier-2 suppliers typically need L1 or L2 depending on the nature of their specific sub-contract. Tier-3 suppliers often land at L0 or L1.

Prime contractor holding a High CRP head contract. Prime needs L3. The supply chain below this typically includes a mix of L2 and L1 tier-2 suppliers.

Small specialist supplier acting as tier-3 to multiple primes. A specialist tier-3 may face different CRPs from different primes. In that case, certify to the highest level the pipeline requires. A tier-3 that needs L1 for one prime and L0 for another should certify at L1 - holding L1 covers both, whereas holding L0 only covers half.

What each tier's evidence pack looks like

The evidence required at each DCC level is the same regardless of tier - a tier-2 L1 evidence pack looks the same as a prime's L1 evidence pack. What differs is the scale of the evidence and the scope defined.

Primes typically have larger, more complex in-scope boundaries. Their ISMS covers multiple business units, the supplier register is longer, and the supply chain assurance is more intricate because they have many tier-2 and tier-3 relationships to manage.

Tier-2s often have simpler in-scope boundaries - a specific business unit that delivers the prime's sub-contracts. The ISMS and governance evidence is proportionate. The supply chain assurance covers the tier-3 suppliers the tier-2 uses.

Tier-3s are often small organisations with very specific scopes - a specialist service, a niche technology capability. The evidence pack is tight. Supply chain assurance is simpler because tier-3s often do not have further sub-contractors in the MOD chain.

What matters is that the evidence demonstrates operational control at the supplier's scale, not enterprise-scale control. An assessor reviewing a five-person tier-3 supplier's L1 evidence is looking for proportionate, real evidence - not an enterprise ISMS.

Flow-down and the Security Schedule

Every tier-2 and tier-3 sub-contract under a DCC-applicable head contract should include a Security Schedule setting out:

  • The DCC level the sub-contractor must hold.
  • Minimum underlying technical certification (CE or CE Plus).
  • Incident notification obligations.
  • Data handling requirements.
  • Further sub-contracting restrictions.
  • Right to audit or inspect.
  • Contractual penalties for certification lapse or scheme non-compliance.

The Security Schedule is the mechanism by which the certification requirement is formalised. A tier-2 supplier holding a sub-contract without a Security Schedule specifying the required DCC level is operating in uncertainty.
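The two planning rules above, one CRP per contract with the Security Schedule as the authoritative source, and certify to the highest level the pipeline requires (the specialist tier-3 scenario), can be captured in a small helper. The following is an added example for this guide, not code from the article, the DCC scheme or any Certification Body. The Low, Moderate and High mappings come from the scenarios in this guide; Very Low mapping to L0 is an assumption inferred from the guide, and the fallback for a sub-contract whose Security Schedule omits the CRP (plan on the buyer's own upstream level until it is confirmed in writing) is this example's reading of the "err on the higher level" advice, not a scheme rule. The pipeline data is constructed.

```python
"""Pipeline-level planning helper for DCC requirements across several sub-contracts.

Added example for this guide; not code from the article, the DCC scheme or any
Certification Body. CRP-to-level for Low/Moderate/High follows the guide's
scenarios; Very Low -> L0 is an assumption. Contract records are constructed data.
"""
from dataclasses import dataclass
from typing import Optional

# CRP -> DCC level. Low/Moderate/High come from the guide; Very Low -> L0 is assumed.
CRP_TO_LEVEL = {"Very Low": 0, "Low": 1, "Moderate": 2, "High": 3}


@dataclass
class Contract:
    name: str
    buyer: str                          # party awarding this sub-contract
    crp: Optional[str] = None           # CRP written into the Security Schedule, if any
    buyer_crp: Optional[str] = None     # CRP the buyer holds on its own upstream contract


def required_level(contract: Contract) -> tuple:
    """Return (level, confirmed).

    A CRP in the Security Schedule is authoritative. If it is absent the contract is
    in the 'uncertainty' the guide warns about; for planning we fall back to the
    buyer's own upstream CRP (conservative reading of 'err on the higher level',
    an assumption of this example) and mark the result as unconfirmed.
    """
    if contract.crp is not None:
        return CRP_TO_LEVEL[contract.crp], True
    if contract.buyer_crp is not None:
        return CRP_TO_LEVEL[contract.buyer_crp], False
    raise ValueError(f"{contract.name}: no CRP in Security Schedule and buyer level unknown")


def pipeline_level(contracts: list) -> int:
    """Highest DCC level any contract in the pipeline requires: certify to this one."""
    return max(required_level(c)[0] for c in contracts)


def gap_report(contracts: list, held_level: int) -> dict:
    """List the contracts the currently held level does not cover, and the ones that
    still need the buyer to confirm the CRP in writing."""
    uncovered, unconfirmed = [], []
    for c in contracts:
        level, confirmed = required_level(c)
        if level > held_level:
            uncovered.append(c.name)
        if not confirmed:
            unconfirmed.append(c.name)
    return {
        "held": held_level,
        "required": pipeline_level(contracts),
        "uncovered": uncovered,
        "unconfirmed": unconfirmed,
    }


# Constructed sample pipeline: a specialist tier-3 supplying three different buyers.
SAMPLE_PIPELINE = [
    Contract("Sensor housing machining", "Prime A", crp="Low"),
    Contract("Test-rig maintenance", "Tier-2 B", crp="Very Low"),
    Contract("Comms module firmware", "Prime C", crp=None, buyer_crp="Moderate"),
]

if __name__ == "__main__":
    report = gap_report(SAMPLE_PIPELINE, held_level=1)
    print(f"Held L{report['held']}, pipeline requires L{report['required']}")
    for name in report["uncovered"]:
        print(f"  not covered by current certificate: {name}")
    for name in report["unconfirmed"]:
        print(f"  ask buyer to confirm CRP in writing: {name}")
```

Run as written, the sample supplier holding L1 is told the pipeline requires L2 because of the third contract, and that the same contract is the one whose Security Schedule never stated a CRP, so the next action is the written confirmation request from the section above rather than an immediate upgrade.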

See the DCC subcontractor assurance guide for more on the flow-down process.

What to do when a prime or tier-2 changes the requirement mid-contract

This happens occasionally: a prime decides mid-contract that a tier-2 needs to upgrade from L0 to L1, usually because the head contract CRP has changed or because the prime's own assurance posture has been tightened. When it happens:

  1. Confirm in writing what the new required level is and the expected timeline.
  2. Clarify whether the prime will bear any additional cost of the upgraded certification.
  3. Engage your Certification Body immediately - L0 to L1 upgrades typically take 4-8 weeks and cannot be rushed through.
  4. Keep the existing L0 certificate active throughout the upgrade.

The upgrade path from L0 to L1 is relatively clean for suppliers who have L0 already, because the governance foundation is in place. Starting L1 cold from no DCC certification takes longer.

Bidding for contracts with uncertain CRP

For tier-2 and tier-3 suppliers bidding for new contracts where the CRP is not specified in the RFP, there are two strategies:

  1. Bid with a qualifying statement: commit to certifying at the level specified post-award, within a defined timeline (typically 4-8 weeks for L0, 8-12 weeks for L1). This keeps the bid viable without pre-investing in certification.
  2. Bid with certification already held: certify at the level you expect most likely, and include the certificate in the bid as a differentiator. This is stronger for competitive bids but costs the supplier certification spend ahead of win.

The right strategy depends on win probability and margin. For high-probability, high-value bids, pre-certifying often wins over competitors. For long-shot or low-margin bids, the post-award conditional commitment is usually more appropriate.

Summary

DCC levels flow down the supply chain, but each tier holds certification for the specific contracts it delivers, not for its identity as a supplier. Confirm the required level with the contracting party before investing in certification. Certify to the highest level your pipeline requires. Keep the Security Schedule current in every sub-contract. And treat the annual attestation as a real assessment, not an administrative formality.
